Audit Explorer analyzes a Macintosh BSM audit trail file. The Mac BSM audit system is one of the best in the world, and when configured appropriately, it can be one of the best sources of information-security data at your disposal. The BSM audit system can record activity that is virtually impossible to capture by any other means, including network-based intrusion prevention systems, firewalls, anti-virus software, and disk forensics tools.
Unfortunately, understanding the BSM audit trails can be challenging at best. The data is very dense and technical, and the standard BSM analysis tools, praudit and auditreduce, can be difficult to use. This is why we developed Audit Explorer. It gives you the power to effectively analyze the BSM audit trail.
Using Audit Explorer
Once Audit Explorer has analyzed a BSM audit trail file, you can use three main windows to explore the results. The Notable Events and Process List windows are survey windows: they give you a starting point for exploring the data.
Once you've found something of interest in one of the windows, you can drill down into the details of a particular process. Clicking on the Session ID in the Notable Events window or on the session row in the Process List window brings up extensive details about that process in the Process Details window.
In the Process Details window you can see the arguments passed into the program, the files that were read, written, moved, or deleted, and inbound and outbound connections. Furthermore, you can explore this process's family tree by navigating through the process's ancestors and children. How a process was created can reveal a lot about the process, and processes frequently pass information (e.g., network connection information) between parents and children. In short, to understand a process, you must also understand its family tree.
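The family-tree idea above can be reproduced outside the GUI from the raw trail. The following is an added example, not Audit Explorer's own code: it assumes XML in the shape `praudit -x` emits (fork(2) records carrying a "child PID" argument, execve(2) records carrying path and exec_args) and uses a constructed sample trail rather than a real one.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `praudit -x` output (not a real trail):
# alice's shell (pid 400) forks pid 501, which execs python3; pid 501 then
# forks pid 502, which execs /bin/sh.
SAMPLE = """<?xml version='1.0' ?><audit>
<record version="11" event="fork(2)" modifier="0" time="Mon Jan  1 10:00:00 2024" msec=" + 0 msec" ><argument arg-num="0" value="0x1f5" desc="child PID"/>
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="400" sid="100005" tid="400 0.0.0.0"/>
<return errval="success" retval="501"/></record>
<record version="11" event="execve(2)" modifier="0" time="Mon Jan  1 10:00:00 2024" msec=" + 5 msec" ><path>/usr/bin/python3</path><exec_args><arg>python3</arg><arg>job.py</arg></exec_args>
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="501" sid="100005" tid="501 0.0.0.0"/>
<return errval="success" retval="0"/></record>
<record version="11" event="fork(2)" modifier="0" time="Mon Jan  1 10:00:01 2024" msec=" + 0 msec" ><argument arg-num="0" value="0x1f6" desc="child PID"/>
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="501" sid="100005" tid="501 0.0.0.0"/>
<return errval="success" retval="502"/></record>
<record version="11" event="execve(2)" modifier="0" time="Mon Jan  1 10:00:01 2024" msec=" + 3 msec" ><path>/bin/sh</path><exec_args><arg>sh</arg><arg>-c</arg><arg>ls</arg></exec_args>
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="502" sid="100005" tid="502 0.0.0.0"/>
<return errval="success" retval="0"/></record>
</audit>"""


def build_tree(xml_text):
    """Return (parent_of, exec_of): child pid -> parent pid from fork records,
    pid -> (path, argv) from execve records. Assumes praudit -x naming."""
    parent_of, exec_of = {}, {}
    for rec in ET.fromstring(xml_text).findall("record"):
        subj = rec.find("subject")
        if subj is None:
            continue
        pid = int(subj.get("pid"))
        event = rec.get("event", "")
        if event.startswith(("fork", "vfork")):
            arg = rec.find("argument[@desc='child PID']")
            if arg is not None:
                parent_of[int(arg.get("value"), 16)] = pid  # value is hex
        elif event.startswith("execve"):
            exec_of[pid] = (rec.findtext("path"),
                            [a.text for a in rec.findall("exec_args/arg")])
    return parent_of, exec_of


def ancestors(pid, parent_of):
    """Parent, grandparent, ... as far back as the trail recorded forks."""
    chain = []
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def children(pid, parent_of):
    """Direct children of pid, in pid order."""
    return sorted(c for c, p in parent_of.items() if p == pid)
```

Pids recycle over a long trail, so on real data you would also key on the record time or session id before trusting a fork/exec pairing.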